Comey's comment, made Oct. 16 in a speech at the think tank Brookings Institute, was sparked by Apple's new mobile operating system, which enables the company to sell iPhones with data encrypted by default (see Apple iOS 8 Reboots Privacy, Security). That means only the owner of the device has the key to unlock the data. Google says it's updating its mobile operating system for Android devices to provide the same encryption protection.

"People previously used safes and combination locks to keep their information secure - now they use encryption," Google says in a statement. "It's why we have worked hard to provide this added security for our users." Apple didn't respond to a request for comment.

The law Comey wants updated is the Communications Assistance for Law Enforcement Act, known as CALEA, which requires telecommunications carriers and makers of telecommunications equipment to ensure that they have built-in surveillance capabilities. That allows law enforcement authorities with court approval to monitor telephone and Internet traffic. CALEA does not cover new Internet companies, such as social media companies. Comey thinks the law should.

Struggling with Change

"We are struggling to keep up with changing technology, and to maintain our ability to actually collect the communications we are authorized to intercept," Comey says. "And if the challenges of real-time interception threaten to leave us in the dark, encryption threatens to lead all of us to a very dark place."

Comey did not offer a specific solution on how the law should be changed to prevent companies like Apple from giving total control over the encryption key to the device's owner. But he says such a situation stymies law enforcement agencies probing crimes because even with a court order, investigators would not be able to decrypt coded data without the cooperation of a criminal suspect.

"We have to find a way to help these companies understand what we need, why we need it, and how they can help, while still protecting privacy rights and providing network security and innovation," Comey says. "We need our private sector partners to take a step back, to pause, and to consider changing course."

Relying on the suspect to give up the encryption key won't always work, he says. "If we had a child predator in custody, and he could choose to sit quietly through a 30-day contempt sentence for failure to provide his password, or he could risk a 30-year sentence for production and distribution of child pornography, which do you think he would choose?" Comey asks.

Solving Crimes with Decrypting Data

But privacy and civil liberties advocates dismiss Comey's assertions that criminal investigations would be stymied by not giving law enforcement access to encrypted data on mobile devices. Mark Jaycox, a legislative analyst at the digital civil liberties advocacy group the Electronic Frontier Foundation, says that an examination of FBI reports reveals that only six times in the past 10 years have criminal investigations been hampered because of encrypted data. "Encryption is not a be-all, end-all on serious criminal investigation," Jaycox says.

The FBI has been solving crimes for decades while rarely having to resort to decrypting data, civil libertarians contend. "Law enforcement already has many legitimate ways to obtain the data stored on our devices," says Nuala O'Connor, president of the Center for Democracy and Technology, a not-for-profit group promoting an open Internet. "Weakening the security of smart phones and trusted communications infrastructure should not be one of them."

Rob Shavell, chief executive of the online privacy company Abine, says that criminals' data remaining encrypted could prove unfortunate for investigators, but it's the price to be paid to safeguard the privacy of most individuals. As an example, Shavell cites one of Abine's products that lets customers transfer encrypted data using Dropbox, with the customers retaining control of the encryption key.

"Could there be criminals in our mix of millions of users? Yes, there could," Shavell says. Should the law be changed to catch "a couple of criminals more easily" if that means potentially exposing data of innocent individuals? he asks. "Our position is that it's not worth the tradeoff."

Weighing Diametrically Opposing Views

The decision whether the law will be changed is up to Congress, and Comey is calling for a national debate that could help lawmakers decide whether to enact new legislation.

A day before Comey's speech, in an interview with Information Security Media Group, Sen. Thomas Carper, D-Del., conceded he's struggling with this issue, saying experts he highly regards offer diametrically opposed views on whether law enforcement should have access to encrypted data on mobile devices.

"I'm not of two minds on this," says Carper, who chairs the Senate committee with government IT security oversight. "I'm just trying to figure what is, again, the right thing to do, and I have not figured that out yet."
